Naavi.org

At a time when BIS is considering re-inventing a framework for Compliance for Privacy  in India, it is necessary to recognize how the DGPSI framework (Data Governance and Protection Standard of India used by FDPPI) has been thinking ahead of the requirements.

In one of the recent Security Studies in USA released on April 7, 2026, it was found that in the health care sector the security breaches involving third parties increased from 15% to 30%. This highlights the need for securing data processed by Data Fiduciaries with the assistance of Data Processors.

If you are a Data Fiduciary, you would therefore think of choosing a Data Processor who empathizes with your exposure to DPDPA liabilities and responds with empathy.

It  is in this context that DGPSI developed a framework called DGPSI-DP meant  for voluntary adoption of a compliance framework by Data Processors.

The normal response of sceptics could be…

“Even the Data Fiduciaries have not adopted compliance, where is the need for Data Processors who have no liability under DPDPA to adopt a compliance framework?”

It is certainly a valid question given the priorities of organizations. But wise corporate managers will realize that it is always better to go with a Data Processor who understands our problems better and has shown an inclination to be DPDPA Compliant even before it is considered mandatory by the law.

Developing an army of such “Trusted Data Processors” is the objective of the framework DGPSI-DP.

A brief view of the framework is already available here:

One can also view the detailed presentation of Naavi made to an open house.

It is time industry recognizes that “What FDPPI thinks today, is what others think  day after tomorrow”

We hope BIS recognizes the futility of re-inventing the wheel by working on a new Privacy Framework from the beginning rather than adopting DGPSI.

Naavi

Naavi

The initiative of DSCI and BIS to work on a framework for compliance under a working group ISO/IEC JTC 1/ SC 27/WG 5 – Privacy Protection & Personal Data Governance is a notable development.

It is good that 3 years after the passing of the DPDPA 2023 and also after the Draft Guidelines of BIS on Data Governance ,  an effort is being initiated to develop a standard for Data Protection .

It is however necessary to point out that this work should not end up as  a “Reinvention of the Wheel”.

We draw the attention of BIS to the existing framework “DGPSI”  or Data Governance and Protection Standard of India which

1. Is a framework developed by an organization of the professionals  namely the FDPPI which is a Section 8 company, exclusively for the Indian scenario
2. FDPPI does not carry the vested interests of the Big Tech
3. The DGPSI Framework is available as a Public Document
4. The Framework is already under implementation by many auditors
5. The Framework comes with variations such as
   1. DGPSI Full
   2. DGPSI Lite (For SMEs)
   3. DGPSI-AI (For AI deployers)
   4. DGPSI-HR (For HR systems)
   5. DGPSI-DP (For Data Processors)
   6. DGPSI-GDPR (For GDPR Compliance)

Documents are available in the form of published printed books and on different websites.

These frameworks could be adopted and fine tuned by BIS into modified frameworks.  It is therefore not necessary for BIS to start a new work from scratch.

We note that BIS is trying to collaborate with DSCI an arm of NASSCOM,  which is strongly influenced by the Big Tech Companies. It is well known that DSCI had filed a dissent note to the Justice Srikrishna Committee in support of the Big Tech Industry along with the many opposition politicians.

We foresee that the framework development process is likely to be under the influence of the Big Tech and not be independent.

We are sure that BIS would have examined this aspect and it would be interesting to understand the logic of BIS in not considering the upgradation of DGPSI into a BIS framework and opting to go for a different exercise for development from scratch.

Even now the BIS  committee can hit the ground running if it picks up the DGPSI framework as the foundation and work a new BIS version.

DGPSI has already has incorporated the August 2023 draft guidelines released by BIS on Data Governance and Data Protection. It is already in the next level of compliance requirement  addressing the requirement of deployment of AI by Data Fiduciaries, the special requirements of the HR sector, SME Sector. It is ready with a recommended framework for the Data Processors and even for the GDPR network.

Hence it does not seem logical that the DGPSI input is excluded from the work of BIS.

We request that BIS may  set up a separate committee to  study these frameworks and if found necessary, reject them before they invest on the new working group.

We draw the attention of the MeitY and the Standing Committee on IT in the Parliament to take the lead in setting up such a  committee so that a proper logic be built  on the need for a new effort at a higher cost rather than modification of the existing frameworks.

DGPSI is a framework made in India for the world..not as a mere slogan, but as a concrete work. FDPPI accepts that the framework can be improved and request BIS to study the framework and if possible adopt it as BIS-DGPSI framework.

We await the top management of BIS  and the Ministry of Consumer Affairs to react to this proposition.

PS: A copy of this note is being forwarded separately to BIS for necessary action.

Refer:

Article on naavi.org:  IS17428 and PDPSI

Draft Guidelines of BIS released in August 2023

FAQ on DGPSI

The Association of Independent Data Auditors of India (AIDAI) was launched in Bengaluru on 11th April 2026 at WoodRose Club, JP Nagar, Bengaluru, 2026.

Though the live broadcast on the YouTube could not be organized as planned, the rest of the program went on successfully.

During the event, Mr Nagendra Javagal welcomed the audience. Mr Ramesh  Venkataraman presented the activities of FDPPI. Naavi introduced the Concept of AIDAI. Mr Vijayendra Shenoy, the CEO of AIDAI shared his plan for the coming years. Mr R Srivatsa proposed the Vote of Thanks

Representatives from different Audit Communities such as Mr Sudarshan Mandyam, Mr B. Jayachandran, Mr Madhava Murthy, as well as Mr Manish as representative of BSPIN and Dr Prashant Koranne as representative of the Data Audit Community from Mumbai were present during the occasion.

A Copy of the Book, Wisdom Companion for Champions of DPDPA Compliance was formally unveiled during the occasion.  Some of the guests spoke during the occasion and shared their views.

During the event empanelment process was also  launched.

AIDAI has started with the ambition of unifying the Auditors scattered across multiple accreditation agencies organizations onto a single platform.  This concept is not natural to the Indian Psyche but an attempt is being made by FDPPI and AIDAI to achieve what is not easy to achieve. I hope this time it is different.

Naavi

Report in Deccan Herald on 12th April 2026:

FDPPI has been in the forefront of being a “Guardian of Privacy”. The DGPSI framework provided the “Jurisprudential interpretation” of DPDPA 2023 for Data Fiduciaries to work on “Compliance By Design”. During this phase we started creating the  skills of a DPO. Many other organizations emulated FDPPI and created their own brands of DPO certifications.

Now the next phase of auditing of the implementation created by these DPOs has begun. After 13th May 2027, Significant Data Fiduciaries need to mandatorily have an “Independent Data Auditor” in place and will be looking around for not DPOs but Data Auditors.

FDPPI has now taken the necessary big step to create an eco system for “Data Auditors” to develop, acquire necessary skills and use the tools already created in the form of DGPSI frameworks.

Tomorrow the new era of “Independent Data Auditors” will begin in India with the launch of the “Association of Independent Data Auditors”.

This profession is a creation of the statute and the word “Independent” signifies that the data auditor must not have any conflict with the Data Fiduciary. They need to also be able to conduct Annual Compliance Audit of DPDPA compliance, DPIA, Audit of algorithms and even report significant observations to the DPB.

They will initially be monitoring the Significant Data Fiduciaries before other wise Data Fiduciaries also decide to err on the safer side with audit from such data auditors as a best practice.

In effect, they will be the eyes and ears of DPB to provide accountability to the compliance efforts.

FDPPI has therefore decided to catalyze the formation of the “Association of Independent Data Auditors of India” or AIDAI and is launching the new entity. Presently it is a division of FDPPI and will be headed  by a CEO, supported by a Governance Committee and guided by a cross industry Advisory Board.

A unique aspect of this AIDAI of FDPPI is that the doors are kept open for different kinds of professionals to be engaged with the organization.

At the Foundation level, any professional including the freshers  are encouraged to join the community as “Probationary Independent Data Auditors”. They can learn, associate with others and grow to be the future Independent Data Auditors.

Inevitably, FDPPI will have a Cadre of “Certified Independent Data Auditors” since it is already conducting programs for C.DPO.DA. where the traditional DPO certification was already extended to the Data Audit requirements. Now the Certification program will be divided into CEDPO (Certified Elite DPO) and CIDA (Certified Internal Data Auditor). They will be empanelled at AIDAI after a fresh online examination.

The most  significant aspect of AIDAI is that it is built on the principle of “Vasudaiva Kutumbakam” or “World is one family” .

The empanelment is therefore open to professionals trained and accredited by other organizations including DSCI or Lead Auditors of ISO family and other similar Data Protection or Information Security oriented organizations and also to other professional organizations like the ICAI, CMA or ICSI.

Such accredited agencies will be empanelled on the basis of validation of credentials.

At this point of time, it is the vision of AIDAI to be a unified platform for all professionals who conduct “Audits” in the all  pervasive medium of “Data” and  also break down the differences if any that exist between different professional groups.

We hope all will respond to this new way of thinking…

We invite all to engage with AIDAI and grow together.

Naavi